Description
In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL, and when filtering or doing mass updates on char/text fields. SQLite and PostgreSQL are only affected when filtering with the contains, starts_with, or ends_with filters (and their case-insensitive counterparts).
References (2)
Third Party Advisory (x_refsource_confirm): https://github.com/tortoise/tortoise-orm/security/advisories/GHSA-9j2c-x8qm-qmjq
Patch, Third Party Advisory (x_refsource_misc): https://github.com/tortoise/tortoise-orm/commit/91c364053e0ddf77edc5442914c6f049512678b3
Scores
CVSS v3: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS: 0.0104 (percentile 59.8%)
Attack Vector: NETWORK
Details
CWE: CWE-89
Status: published
Products (2)
pypi/tortoise-orm (PyPI): 0 - 0.15.23
tortoise_orm_project/tortoise_orm: < 0.15.23
Published: Apr 20, 2020
Tracked Since: Feb 18, 2026